GDPR – The General Data Protection Regulation
What is it?
The General Data Protection Regulation (GDPR) is legislation adopted by the European Union to strengthen the protection of personal data.
It covers the personal data of individuals in EU member states, whoever holds or processes that data.
GDPR was developed in consultation with members of the UK and European information security community. It is a “regulation”, not a “directive”: a regulation becomes law in every member state directly, without each state having to pass its own implementing legislation. GDPR applies from 25 May 2018, before the UK’s formal disengagement from the EU, so it will form part of UK law. Even though the UK voted to leave the EU in June 2016, organisations that do business with, or hold data about, people in EU member states will still be affected by it.
Why do we have it?
All personal data is valuable. It is therefore sadly inevitable that some people will want to steal it. In most cases these thefts deliver financial rewards to the criminals. Sometimes the data is sold for illegal marketing purposes. But data theft can also be significantly more sinister: for example, taking control of the information held about an individual, identity theft, or use of the data in support of terrorism.
In this information driven age, it is of the utmost importance that secure systems are built and networks created to process this information. It is also vital to have a set of rules within which everyone operates.
It is worth noting that personal data is “any data relating to an individual, whether it relates to their private, professional or public life”. This can be anything from a name, photograph, email address, bank details or payment card number to a mobile phone identifier (IMEI code) or a computer’s IP address. It even applies to posts on social networking sites. Biometric data (face, fingerprint and voice recognition) and genetic data are also in scope. Many of these unique pieces of data are being considered by UK banks for authentication purposes, which makes it even more important that they are protected from unauthorised access.
What happens next
Anyone processing personal data belonging to an individual in an EU state will need to comply with GDPR in much the same way as they currently have to comply with UK data protection law. Unlike PCI DSS, there is no central body that assesses and certifies compliance; compliance is managed within each organisation and enforced by the national supervisory authority (the Information Commissioner’s Office in the UK). Under the GDPR, the data controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it; the Data Protection Officer (DPO) advises the organisation on compliance and is its point of contact with the authority. It is also worth noting that under the new regulation any third party that processes data on an organisation’s behalf (a “processor”) is directly accountable alongside the controller.
Sanctions can now include regular data protection audits, and fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher. As the penalties for data breaches become more significant, compliance with the regulation becomes more and more important. Data discovery is a key part of compliance, as it identifies where sensitive data is actually held, including the copies nobody remembers. It is equally important to remove or sanitise any data that is no longer required, since data you do not hold cannot be breached.
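The following is an added illustration of what a basic data discovery pass looks like in practice; it is example code written for this page, not SRM’s own tooling. It scans a constructed log line (no real people, cards or devices) for the identifier types named above (email addresses, IP addresses, payment card numbers and IMEI codes), uses the Luhn check digit to avoid reporting arbitrary digit runs such as order numbers, and shows the sanitisation step by redacting what it finds.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical log line constructed for this example (no real people or cards).
SAMPLE_LOG = (
    "2017-09-14 10:22:01 customer=jane.doe@example.com ip=192.168.1.10 "
    "order=1234567890123 pan=4111 1111 1111 1111 imei=490154203237518 "
    "ip=999.1.1.1\n"
)

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
DIGITS_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

Hit = Tuple[int, int, str, str]  # (start, end, category, value)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812), used by card numbers and IMEIs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def valid_ipv4(s: str) -> bool:
    """Reject dotted quads with an octet above 255 (e.g. 999.1.1.1)."""
    return all(0 <= int(octet) <= 255 for octet in s.split("."))


def find_personal_data(text: str) -> List[Hit]:
    """Return (start, end, category, value) for each identifier found."""
    hits: List[Hit] = []
    for m in EMAIL_RE.finditer(text):
        hits.append((m.start(), m.end(), "email", m.group()))
    for m in IPV4_RE.finditer(text):
        if valid_ipv4(m.group()):
            hits.append((m.start(), m.end(), "ipv4", m.group()))
    for m in DIGITS_RE.finditer(text):
        raw = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(raw):  # order numbers and similar fail the check
            continue
        # 15 Luhn-valid digits may be an IMEI or a 15-digit card number;
        # either way it is personal data, so the label is only a hint.
        category = "pan-or-imei" if len(raw) == 15 else "pan"
        hits.append((m.start(), m.end(), category, m.group()))
    hits.sort()
    return hits


def summarise(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per category, the figure a discovery report leads with."""
    counts: Dict[str, int] = {}
    for _, _, category, _ in hits:
        counts[category] = counts.get(category, 0) + 1
    return counts


def redact(text: str) -> str:
    """Replace every discovered identifier with a category marker."""
    out: List[str] = []
    pos = 0
    for start, end, category, _ in find_personal_data(text):
        if start < pos:  # overlapping match already covered
            continue
        out.append(text[pos:start])
        out.append(f"<{category} redacted>")
        pos = end
    out.append(text[pos:])
    return "".join(out)


if __name__ == "__main__":
    found = find_personal_data(SAMPLE_LOG)
    for start, _, category, value in found:
        print(f"{category:<12} at offset {start:>3}: {value}")
    print(summarise(found))
    print(redact(SAMPLE_LOG), end="")
```

Two design points carry over to real discovery tooling: validate candidates (Luhn for card and IMEI numbers, octet ranges for IP addresses) so that the report is not swamped with false positives, and keep the offsets of each hit so that the same pass can drive redaction or deletion once the data has been confirmed as no longer required.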
SRM has operated in this environment for many years and our consultants are skilled at performing security assessments. In the event of a data breach, SRM has a fully accredited forensics lab that can assist with the investigation. We can also handle communications with the relevant bodies, should the worst happen. Planning how to handle an incident is a key part of any information security programme, and SRM has a wealth of experience in running desktop exercises and working with policy makers to ensure that the impact on the business is minimised.